I'm faced with a bit of a problem. I have a setup with an ACE load balancer which load-balances PASV FTP traffic across two FTP servers. Behind the ACE, we have a firewall, with a DMZ where the FTP servers reside.
When we disable the 'masquerade' feature on the FTP server, that is, we don't inform the FTP client of the external IP address on the ACE, but rather send the actual RFC 1918 FTP server address in the PASV response, it works for some clients. Somehow, some clients are able to disregard the RFC 1918 address and instead use the public address used during the initial setup. Other clients don't work.
But when we insert the actual public IP on the FTP server, the connection is broken when the client attempts to enter PASV mode. The firewall in front of the FTP server issues the following message:
%FWSM-4-406002: FTP port command different address: x.x.x.x(y.y.y.y) to z.z.z.z on interface Websrv-DMZ-Prod
x.x.x.x = actual FTP server address
y.y.y.y = public FTP server address (masqueraded)
z.z.z.z = NAT address on the ACE for client FTP requests, to avoid asymmetric routing
We've tried to disable src.nat on the ACE (the z.z.z.z address is the NAT address of external client requests), but the problem persists. So far, we attribute this to FTP inspection, which is enabled. We do not, however, wish to disable FTP inspection, but rather we're looking into a way to selectively disable FTP inspection for this particular flow.
Is there any way to achieve this?
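The two behaviours in the question, an inspecting firewall rejecting a PASV reply whose advertised address differs from the server address it sees on the control connection, and a client silently ignoring an RFC 1918 address in the PASV reply, can be modelled in a few lines. The following is an added illustration, not code from the original post or from any Cisco product; it assumes the inspection rule is simply "advertised address must equal the control-connection server address" (which is what the logged message implies) and uses constructed sample addresses (10.1.2.3 as the real server, 203.0.113.10 as the masqueraded public address).

```python
import ipaddress
import re

# A 227 reply looks like: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# where the data port is p1*256 + p2.
PASV_RE = re.compile(
    r"227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(line):
    """Return (ip, port) advertised in a 227 PASV reply, or None if malformed."""
    m = PASV_RE.search(line)
    if not m:
        return None
    fields = [int(g) for g in m.groups()]
    if any(f > 255 for f in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def inspect_pasv(line, control_server_ip):
    """Emulate the check an FTP-inspecting firewall applies to a PASV reply.

    Assumption (not taken from the post): the address inside the reply must
    match the server address of the control connection as the firewall sees
    it; anything else is logged and the data connection is not permitted.
    """
    parsed = parse_pasv(line)
    if parsed is None:
        return "malformed"
    ip, port = parsed
    if ip != control_server_ip:
        return "address_mismatch"
    if port < 1024:
        return "low_port"
    return "ok"


def client_data_target(line, control_server_ip):
    """Model the client behaviour the post describes: some clients discard an
    RFC 1918 address in the PASV reply and reuse the control connection's
    peer address instead. Returns the (ip, port) the client would connect to."""
    parsed = parse_pasv(line)
    if parsed is None:
        return None
    ip, port = parsed
    if ipaddress.ip_address(ip).is_private:
        return control_server_ip, port
    return ip, port


if __name__ == "__main__":
    # Constructed samples: real (private) server address and masqueraded public one.
    real_server = "10.1.2.3"
    public_vip = "203.0.113.10"
    unmasked = "227 Entering Passive Mode (10,1,2,3,195,80)"
    masked = "227 Entering Passive Mode (203,0,113,10,195,80)"

    # Firewall sitting in front of the server sees the real server address on
    # the control connection, so the masqueraded reply fails its check.
    print("unmasked reply, firewall verdict:", inspect_pasv(unmasked, real_server))
    print("masked reply, firewall verdict:  ", inspect_pasv(masked, real_server))

    # A tolerant client that received the unmasked reply falls back to the VIP.
    print("tolerant client connects to:", client_data_target(unmasked, public_vip))
```

Running it shows why the two configurations behave differently: the unmasked reply passes inspection but only works for clients that apply the private-address fallback, while the masked reply is correct for every client but trips the firewall's address comparison.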